If you’ve followed the suggestions in the Protection and Cleaning threads, and are still having problems, you most likely have an infection that will take some specialized tools and/or processes to remove.
Before requesting assistance, it would be helpful for you to read
How To Ask Questions The Smart Way --
http://www.catb.org/~esr/faqs/smart-questions.html
The primary tool you will need to begin removing infections is HijackThis --
HijackThis (aka HJT)
{
WARNING -- We ask that all members who use the advice given here to be prudent before deleting any files by backing up their data. There may be occasion when, unfortunately, the wrong advice is inadvertently given. HijackThis is a very powerful tool and must be used with wisdom. If there is anything you are uncertain about, search Google for information while waiting for a response from our members here. Assistance is offered in good faith and should be received in good faith. It's a wise person who makes sure their data is backed up safely before diving deep into the heart of their Operating System, and that's exactly what HijackThis does. Remember we're all here to help and not everybody is an expert. And even the experts don't necessarily get it all right all the time. A little wrong move, a bit of bad luck, and your system might stop working altogether! It doesn't happen often but it's YOUR job to be ready in case it does.}*
You can get a self-extracting version of HijackThis from here (in line 2):
http://www.malwareremoval.com/downloads.html
Here is a link to a tutorial to help you learn to use HijackThis yourself as you follow the given instructions:
http://www.bleepingcomputer.com/foru...howtutorial=42
For help with booting into Safe Mode, when necessary, see
http://www.pchell.com/support/safemode.shtml
Part I – How to use HijackThis, the basics
After you download HijackThis, close any open browser windows, double-click on the hijackthis.exe icon that is on your desktop, and then click the Do a system scan and save a log file button. Note: you should not scan with HJT while in Safe Mode unless instructed to do so.
HJT will scan your system (rather quickly), and a new window will pop up giving you the option of where you would like the log to be saved; save it in a location that will be easy for you to locate. As soon as you do this, the HJT log will be presented in Notepad, similar to this example of an actual scan:
Logfile of HijackThis v1.99.0
Scan saved at 6:31:44 AM, on 7/8/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
E:\Utilities\PestPatrol\PPMemCheck.exe
E:\Utilities\PestPatrol\PPControl.exe
E:\Utilities\PestPatrol\CookiePatrol.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Microsoft Office\Office10\WINWORD.EXE
C:\WINDOWS\msagent\AgentSvr.exe
E:\Utilities\hijackthis\HijackThis.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Utilities\SpywareGuard\dlprotect.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [PPMemCheck] E:\Utilities\PestPatrol\PPMemCheck.exe
O4 - HKLM\..\Run: [PestPatrol Control Center] E:\Utilities\PestPatrol\PPControl.exe
O4 - HKLM\..\Run: [CookiePatrol] E:\Utilities\PestPatrol\CookiePatrol.exe
O4 - HKLM\..\Run: [PinnacleDriverCheck] C:\WINDOWS\System32\PSDrvCheck.exe -CheckReg
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\Media Players\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [WorksFUD] C:\Program Files\Microsoft Office\Microsoft Works\wkfud.exe
O4 - HKLM\..\Run: [mmtask] c:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Office\Microsoft Works\wkssb.exe /AllUsers
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: Yahoo! Chat -
http://us.chat1.yimg.com/us.yimg.com.../c381/chat.cab
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) -
http://messenger.zone.msn.com/binary...t.cab31267.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) -
http://messenger.zone.msn.com/binary...o.cab32846.cab
O16 - DPF: {E504EE6E-47C6-11D5-B8AB-00D0B78F3D48} (Yahoo! Webcam Viewer Wrapper) -
http://chat.yahoo.com/cab/yvwrctl.cab
O16 - DPF: {F04A8AE2-A59D-11D2-8792-00C04F8EF29D} (Hotmail Attachments Control) -
http://by106fd.bay106.hotmail.msn.co...x/HMAtchmt.ocx
O23 - Service: Adobe LM Service - Unknown - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: ewido security suite control - ewido networks - E:\Utilities\Ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - E:\Utilities\Ewido\security suite\ewidoguard.exe
O23 - Service: Macromedia Licensing Service - Macromedia - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
Before you post your first HijackThis log, you should review it to assure common mistakes are avoided, thereby expediting the solution to your particular problem.
The first thing to do is make sure you are running the latest version of HijackThis. To see what the current version is, look through some of the recent threads and see what the highest version number posted is. In the example above, the version of HJT running is out of date (Logfile of HijackThis v1.99.0); as of this writing, HJT is at version 1.99.1.
The next thing to check is where HijackThis is running from. HJT needs to be in its own permanent folder so that it can safely save the backups it creates. If it’s in any temporary folder, that’s a definite no-no. Nor should it be running directly from the root of your hard drive or from your desktop. Proper and improper examples are shown below. Note that in the example above, HJT is running from the E drive (E:\Utilities\hijackthis\HijackThis.exe) even though many of the processes are running from the C drive. HijackThis does not need to be installed on the same drive/partition as the operating system; the important thing is that it be in its own folder.
If you see an entry such as C:\Program Files\Internet Explorer\iexplore.exe or C:\Program Files\Mozilla Firefox\firefox.exe, this means you had a browser window open; be sure to close any open browser windows when scanning with HJT.
Finally, be sure to post the entire log, including the header information, consisting of:
The version of HijackThis you are using
Time and date of the scan
Your operating system and current update level
Your Internet Explorer version and update level
Here are some typical log entries which users frequently have trouble with; both good and bad versions are shown to illustrate the difference:
Logfile of HijackThis v1.99.0 <-- Bad, older version of HJT
Logfile of HijackThis v1.99.1 <-- Good, current version of HJT (always check first)
C:\Program Files\Internet Explorer\iexplore.exe <-- Bad, indicates browser was open while scanning (IE)
C:\Program Files\Mozilla Firefox\firefox.exe <-- Bad, indicates browser was open while scanning (FF)
(There are no good versions of this entry because there should be no browser windows open)
C:\Documents and Settings\me\Local Settings\Temp\HijackThis.exe <-- Bad, HJT in Temp folder
C:\HIJACKTHIS.EXE <-- Bad, HJT running directly from hard drive
C:\Documents and Settings\User\Desktop\HijackThis.exe <-- Bad, HJT running directly from desktop
C:\Documents and Settings\me\My Documents\HijackThis.exe <-- Bad, HJT not in its own folder
C:\Documents and Settings\User\Desktop\HJT\HijackThis.exe <-- Good, HJT in its own permanent folder
C:\Program Files\hijackthis\HijackThis.exe <-- Good, HJT in its own permanent folder
E:\Utilities\HijackThis\HijackThis.exe <-- Good, HJT in its own permanent folder
C:\HJT\HIJACKTHIS.EXE <-- Good, HJT in its own permanent folder
Now, check the log you save against the above entries and make sure you:
Have the latest version of HijackThis
Scanned with all browser windows closed
Have HijackThis in its own permanent folder
If everything is as it should be, please continue on to the next part. If not, make the necessary corrections and save a new log before you continue.
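The three checks above can be applied mechanically to a saved log before posting it. The script below is an added example written for this thread, not part of the original post or of HijackThis itself; it parses the header and the "Running processes" block of a log, then reports an out-of-date version (the 1.99.1 figure is the "as of this writing" value from the text above and is hard-coded), a browser open during the scan, and a HijackThis.exe that is not in its own permanent folder. The sample log is constructed to contain all three mistakes, and the folder rules generalise slightly beyond the list above (a file sitting directly in Program Files is also treated as "not in its own folder").

```python
import re

CURRENT_VERSION = "1.99.1"  # current release as stated in the post above
BROWSERS = ("iexplore.exe", "firefox.exe")
# parent folders that mean "HJT is not in its own folder" (assumption: the
# last two are added to the post's Desktop / My Documents examples)
BAD_PARENTS = ("desktop", "my documents", "program files")

# Constructed sample log (format modelled on the one above; the paths are
# made up for the demonstration and deliberately contain all three mistakes).
SAMPLE_LOG = (
    "Logfile of HijackThis v1.99.0\n"
    "Scan saved at 6:31:44 AM, on 7/8/2005\n"
    "Platform: Windows XP SP1 (WinNT 5.01.2600)\n"
    "MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)\n"
    "\n"
    "Running processes:\n"
    "C:\\WINDOWS\\System32\\smss.exe\n"
    "C:\\WINDOWS\\Explorer.EXE\n"
    "C:\\Program Files\\Internet Explorer\\iexplore.exe\n"
    "C:\\Documents and Settings\\me\\Local Settings\\Temp\\HijackThis.exe\n"
    "\n"
    "O4 - HKCU\\..\\Run: [ctfmon.exe] C:\\WINDOWS\\System32\\ctfmon.exe\n"
)

HEADER_FIELDS = {
    "version": r"Logfile of HijackThis v(\S+)",
    "scan_time": r"Scan saved at (.+)",
    "platform": r"Platform: (.+)",
    "msie": r"MSIE: (.+)",
}

def version_tuple(v):
    """'1.99.0' -> (1, 99, 0) so versions compare numerically."""
    return tuple(int(p) for p in v.split("."))

def parse_log(text):
    """Split a saved HJT log into header fields, running processes and entries."""
    header, processes, entries = {}, [], []
    in_processes = False
    for line in text.splitlines():
        line = line.strip()
        if not line:
            in_processes = False          # blank line ends the process block
            continue
        for field, pattern in HEADER_FIELDS.items():
            m = re.match(pattern, line)
            if m:
                header[field] = m.group(1)
                break
        else:
            if line == "Running processes:":
                in_processes = True
            elif re.match(r"[RFNO]\d+ - ", line):   # R0.., F0.., N1.., O1.. entries
                in_processes = False
                entries.append(line)
            elif in_processes:
                processes.append(line)
    return header, processes, entries

def hjt_location_problem(processes):
    """Describe why the HijackThis.exe location is unacceptable, or None if OK."""
    hjt = [p for p in processes if p.lower().endswith("hijackthis.exe")]
    if not hjt:
        return "HijackThis.exe not found in the running processes"
    path = hjt[0]
    parts = path.split("\\")
    if "\\temp\\" in path.lower():
        return "running from a temporary folder"
    if len(parts) == 2:                   # e.g. C:\HIJACKTHIS.EXE
        return "running directly from the root of the drive"
    if parts[-2].lower() in BAD_PARENTS:
        return "not in its own folder (parent is %s)" % parts[-2]
    return None

def review_log(text, current_version=CURRENT_VERSION):
    """Apply the Part I pre-posting checks; an empty list means ready to post."""
    header, processes, _ = parse_log(text)
    problems = []
    for field in HEADER_FIELDS:
        if field not in header:
            problems.append("header missing: %s (post the entire log)" % field)
    v = header.get("version")
    if v and version_tuple(v) < version_tuple(current_version):
        problems.append("old HijackThis v%s; current is v%s" % (v, current_version))
    for p in processes:
        if p.lower().rsplit("\\", 1)[-1] in BROWSERS:
            problems.append("browser was open during scan: %s" % p)
    loc = hjt_location_problem(processes)
    if loc:
        problems.append("HijackThis location: %s" % loc)
    return problems

if __name__ == "__main__":
    for problem in review_log(SAMPLE_LOG) or ["log is ready to post"]:
        print(problem)
```

Run it against your own saved log by reading the file into `review_log`; if it returns an empty list, the log passes the three checks and you can go on to Part II.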
Part II – How to use HijackThis, basic cleaning
There are a few things you can clean up yourself with HijackThis. This way, when you post your log it will be easier and faster for whoever reviews it to complete the analysis.
When you are ready to fix some things with HijackThis, open it, but this time, instead of hitting the Do a system scan and save a log file button, hit the Do a system scan only button. The window that comes up will look similar to the saved log version, but without the header information, and there will be boxes to the left of each entry. To have HJT fix an entry, simply click on the box next to it; this will place a checkmark in the box. When you have all the entries selected, click on the Fix checked button at the bottom. Now, entries you can have HJT fix…
If you have any R0 or R1 entries that have searchmiracle or searchassistant in them, have HJT fix them; here are some examples:
R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://searchmiracle.com/sp.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\qhuwh.dll/sp.html#63796
If you see an entry identical to this, have HJT fix it:
R3 - Default URLSearchHook is missing
If you see any O1 entries, and they are not there for a specific reason that you know about, you can safely remove them.
If an entry has both (no name) near the beginning and (no file) at the end, you can have HJT fix it:
O3 - Toolbar: (no name) - {2CDE1A7D-A478-4291-BF31-E1B4C16F92EB} - (no file)
If the entry does not contain both of these, please do not fix it unless instructed to do so.
O15 entries -- if there are any of these showing in your log that you did not put in your browser's Trusted Zone yourself, have HJT fix them.
All O16 entries can be safely fixed, as any legitimate ones will return when the website is revisited. Removing these can sometimes cut the length of a HijackThis log in half.
Be sure to close any open windows, other than HijackThis, before hitting the Fix checked button.
Part III – How to use HijackThis, program removal
There are some intrusive programs that you can remove with the assistance of HijackThis; if you have any questions, please ask for assistance before continuing.
To do this, go to Add/Remove Programs in your Control Panel and look for the name as shown in the HJT entry. Then remove it with Add/Remove programs, have HJT fix the entry, and then go to the location and delete the program’s folder.
Example – HijackThis shows this entry in the log:
O4 - HKLM\..\Run: [WildTangent CDA] "C:\Program Files\WildTangent\Apps\CDA\GameDrvr.exe" /startup "C:\Program Files\WildTangent\Apps\CDA\cdaEngine0500.dll"
Go to Add/Remove Programs and look for WildTangent; if you locate it, remove it; then have HJT fix the O4 entry and, finally, go to C:\Program Files and delete the WildTangent folder.
Below is a list of common programs that should be removed, as they may look in your HJT log. Even if the entry doesn’t look exactly the same, as long as it has Program Files\BadFileName in it, you can follow the removal instructions. The folder to be deleted is the one directly under Program Files in each entry; the program name in Add/Remove Programs should be very similar. If you don’t find it in Add/Remove Programs, go ahead and have HJT fix the entry, and then delete the folder.
O2 - BHO: SABHO - {21B4ACC4-8874-4AEC-AEAC-F567A249B4D4} - c:\program files\180searchassistant\salmhook.dll
O4 - HKLM\..\Run: [EbatesMoeMoneyMaker0] "C:\Program Files\Ebates_MoeMoneyMaker\EbatesMoeMoneyMaker0.exe"
O4 - Global Startup: Gator eWallet.lnk = C:\Program Files\Gator.com\Gator\Gator.exe
O4 - HKLM\..\Run: [Media Gateway] C:\Program Files\Media Gateway\MediaGateway.exe
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\IEExtension.dll
O4 - HKLM\..\Run: [SurfSideKick 3] C:\Program Files\SurfSideKick 3\Ssk.exe
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [WildTangent CDA] "C:\Program Files\WildTangent\Apps\CDA\GameDrvr.exe" /startup "C:\Program Files\WildTangent\Apps\CDA\cdaEngine0500.dll"
O4 - HKLM\..\Run: [Windows TaskAd] C:\Program Files\Windows TaskAd\WinTaskAd.exe
Remember to close any open windows, other than HijackThis, before hitting the Fix checked button.
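The rules in Part II (which entries you may tick in "Do a system scan only") and Part III (which entries point at a program to uninstall first) can be turned into a small triage routine. The script below is an added example for this thread, not code from the original post or from HijackThis; it classifies each log entry as "fix", "fix-if-not-yours" (O1 and O15, which you only fix if you did not add them yourself), "remove-program" (the Program Files folder list from Part III, lower-cased for matching) or "ask" (leave alone and post the log). The sample entries are constructed, modelled on the examples above.

```python
import re

# Program Files folder names from the Part III list above (lower-cased).
REMOVABLE_FOLDERS = {
    "180searchassistant", "ebates_moemoneymaker", "gator.com", "media gateway",
    "partypoker", "surfsidekick 3", "viewpoint", "wildtangent", "windows taskad",
}

def classify(entry):
    """Return (verdict, reason) for one HJT entry per Parts II and III."""
    kind = entry.split(" - ", 1)[0]          # e.g. "R1", "O3", "O16"
    low = entry.lower()
    if kind in ("R0", "R1") and ("searchmiracle" in low or "searchassistant" in low):
        return "fix", "R0/R1 entry pointing at searchmiracle/searchassistant"
    if entry == "R3 - Default URLSearchHook is missing":
        return "fix", "missing default URLSearchHook"
    if kind == "O1":
        return "fix-if-not-yours", "O1 hosts-file entry; fix unless you added it"
    if kind == "O3" and "(no name)" in low and low.endswith("(no file)"):
        return "fix", "toolbar with both (no name) and (no file)"
    if kind == "O15":
        return "fix-if-not-yours", "Trusted Zone entry; fix unless you added it"
    if kind == "O16":
        return "fix", "O16 DPF entry; legitimate ones return when the site is revisited"
    # Part III: the folder directly under Program Files names the program
    m = re.search(r"program files\\([^\\]+)\\", low)
    if m and m.group(1) in REMOVABLE_FOLDERS:
        return "remove-program", (
            "uninstall via Add/Remove Programs, fix the entry, then delete the "
            "Program Files\\%s folder" % m.group(1))
    return "ask", "leave alone unless instructed; post the log"

def triage(entries):
    """Group entries by verdict so the right boxes get ticked in 'Fix checked'."""
    out = {"fix": [], "fix-if-not-yours": [], "remove-program": [], "ask": []}
    for e in entries:
        verdict, reason = classify(e)
        out[verdict].append((e, reason))
    return out

# Constructed sample entries (modelled on the examples in the post above).
SAMPLE_ENTRIES = [
    "R1 - HKCU\\Software\\Microsoft\\Internet Explorer\\Search,SearchAssistant = "
    "res://C:\\WINDOWS\\qhuwh.dll/sp.html#63796",
    "R3 - Default URLSearchHook is missing",
    "O3 - Toolbar: (no name) - {2CDE1A7D-A478-4291-BF31-E1B4C16F92EB} - (no file)",
    "O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - "
    "C:\\WINDOWS\\System32\\msdxm.ocx",
    "O16 - DPF: {E504EE6E-47C6-11D5-B8AB-00D0B78F3D48} (Yahoo! Webcam Viewer Wrapper) - "
    "http://chat.yahoo.com/cab/yvwrctl.cab",
    "O4 - HKLM\\..\\Run: [WildTangent CDA] "
    "\"C:\\Program Files\\WildTangent\\Apps\\CDA\\GameDrvr.exe\" /startup",
    "O4 - HKCU\\..\\Run: [ctfmon.exe] C:\\WINDOWS\\System32\\ctfmon.exe",
]

if __name__ == "__main__":
    for verdict, items in triage(SAMPLE_ENTRIES).items():
        for entry, reason in items:
            print("%-17s %s\n%18s(%s)" % (verdict, entry, "", reason))
```

Anything that lands in "ask" (such as the &Radio toolbar or ctfmon.exe above) is deliberately left alone: the text above is explicit that O3 entries without both (no name) and (no file) are not to be fixed unless you are told to.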
Now that you’ve cleaned up everything that you can on your own, it’s time to empty your Recycle Bin and reboot.
At this point, if you’re still having problems, you will need assistance that is more specific. Look through the list below for anything that resembles the problem you are still having. If you see anything, go to the post that has the removal instructions for that particular infection. If you don’t see anything, go ahead and post a HijackThis log now in the Virus forum along with a description of your problem.
Infections
ABetterInternet (Fix coming soon, please post an HJT log now)
ABI (Fix coming soon, please post an HJT log now)
About:blank (Post #6)
Adware.ClickDLoader (Fix coming soon, please post an HJT log now)
AntivirusGold (Post #8)
Aurora (Post #5)
Bridge.dll (Post #3)
Browser Enhancer (Post #7)
Cassandra (Post #4)
Collected.5.L Trojan (Post #12)
CoolWebSearch (Post #6)
CoolWwwSearch (Post #6)
CWS (Post #6)
Desktophijack (Post #4)
Dsr/Dinst (Post #9)
Ebates (Fix coming soon, please post an HJT log now)
Error Message 317 (Post #4)
HomeSearchAssistant (Post #6)
HotOffers (Post #4)
Joke.Smitfraudoid (Post #4)
LOP (Post #7)
Martfinder (Fix coming soon, please post an HJT log now)
MediaAccess (Fix coming soon, please post an HJT log now)
MyWay / MyWaySearchAssistant / MyWaySA (Post #15)
Nail (Post #5)
Newdotnet (Post #11)
New.net (Post #11)
Newgenlook (Post #4)
Stop
PurityScan Ads (Post #13)
Search Extender (Post #6)
Searchmiracle (Post #4)
Shopping Assistant (Post #6)
Shopping Wizard (Post #6)
Smitfraud (Post #8, and possibly #4)
Specialgoods (Post #4)
SpySherrif (Posts #4 & #8)
Infections in the System Volume Information\_restore folder (Post #2)
Ultimate Browser Enhancer (Post #7)
Vundo/Virtumonde. (Post #16)
White-Pages.ws (Post #6)
Win-eto/SwapX (Post #10)
Window Search (Post #7)
Window Searching (Post #7)
WindUpdates (Fix coming soon, please post an HJT log now)
YouFindAll (Post #6)
YupSearch (Post #14)
*'Warning' obtained from this thread by Crunchie --
http://www.daniweb.com/techtalkforums/thread12033.html